Virtual LANs (“VLANs”) are well known today to simulate physical networks, and interconnect real or virtual devices on the VLAN to other, real devices external to the VLAN. In a typical VLAN arrangement, there is a VLAN switch with multiple ports to interconnect to respective external real devices. The switch also includes one or more ports to interconnect to one or more VLANs, such that the external devices can communicate to devices on the VLANs via the switch and the VLAN on which the target device resides. There can be one or more virtual or real devices on each VLAN.
Each message packet (such as a frame) received at a port of the switch from an external real device identifies (a) a source MAC address of the external device (such as the MAC address burned into a network adapter card of the external device), although sometimes a hacker will insert the MAC address of another device in the packets it sends, (b) a source IP address, (c) a destination MAC address corresponding to a target device if the target device is on the same LAN or VLAN, (d) a destination IP address, (e) the host port of the source device, (f) the host port of the destination device, and (g) control bits or “flags”. The packet also includes a “body” which contains the data needed for the request. VLAN switches include a Content Addressable Memory (CAM) table which identifies which MAC addresses are authorized to send packets to which ports, and also identifies the MAC addresses of target devices on each VLAN. The VLAN switch uses the CAM table to identify the VLAN of the target device based on the destination MAC address in the packet. The destination IP address does not always map one-for-one to a VLAN for the following reason. The destination IP address in the packet identifies a subnet that is logically defined by the VLAN switch. Each subnet that is logically defined by the VLAN switch may comprise one or more VLANs. The VLAN switch attaches a VLAN tag to the packet to “route” the packet through the switch to the VLAN of the target device.
For security purposes, typically each port of the VLAN switch is programmed to recognize message packets (such as frame packets) from only the (source) MAC address of an authorized external device, i.e. packets with the proper MAC address embedded in them. The recognized MAC address for each port is listed in the CAM table for the switch. (A system administrator previously programmed into the CAM table the source MAC address of an authorized external device for each port on the switch.) For example, a Cisco Port Security function in the switch compares the MAC address of the sending device to the MAC address programmed into the switch. If they differ, the Cisco Port Security function can disable the port, so the external device with the unrecognized MAC address cannot send any more packets to any VLANs via the switch. This is important because the external device may be malicious. Alternately, the port can simply drop or discard any packet from a source MAC address which is unrecognized. While both solutions are effective in blocking malicious intrusions into the VLANs, occasionally the external device which possesses an unrecognized MAC address is friendly and is improperly being denied access to the VLANs via the switch. In such a case, the owner of the external device which is unable to access the VLANs will notify an administrator of the VLANs or switch and report the problem. Then, it is the responsibility of the administrator to determine whether the external device should be allowed to access the VLANs via the switch. The administrator can make this decision based on the administrator's knowledge of the network architecture. If the MAC address should be allowed to access the VLANs via the switch, the administrator will reprogram the CAM table and switch to recognize the MAC address of the external device as authorized. Consequently, subsequent packets from the external device will pass through the port and switch to the VLAN of the target device.
While the foregoing process is effective, it placed too much burden on the administrator, who oftentimes had too little information to determine whether the external device should be allowed to access the VLAN via the switch. Also, packets from a friendly external device with the improper MAC address were often discarded before the switch was reprogrammed to recognize the external device as authorized to communicate with the target device. The switch can be configured to pass packets from an unrecognized MAC address.
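The following is an added illustration of the process described above, not code from this document or from any switch vendor. It models a switch whose CAM table records, per port, the source MACs an administrator has authorized and, per target MAC, the VLAN on which the target resides; on an unrecognized source MAC it either shuts the port down or discards the packet, and it counts the packets lost before the administrator reprograms the CAM table. All MAC and IP values are constructed for the example.

```python
"""Model of a VLAN switch with a CAM table and a port-security check.

Added illustration, not code from the document it accompanies. The switch,
CAM table layout, violation modes and MAC/IP values are constructed for the
example; real switches differ in detail.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


@dataclass(frozen=True)
class Packet:
    """Header fields of a frame arriving at a switch port, as listed in the text."""
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    body: bytes = b""


class Violation(Enum):
    SHUTDOWN = "shutdown"  # disable the port after an unrecognised source MAC
    DROP = "drop"          # discard the offending packet, keep the port up


@dataclass
class Switch:
    port_auth: dict[int, set[str]]      # CAM: source MACs authorised on each port
    mac_to_vlan: dict[str, int]         # CAM: VLAN on which each target MAC resides
    violation: Violation = Violation.DROP
    disabled_ports: set[int] = field(default_factory=set)
    dropped: list[tuple[int, str]] = field(default_factory=list)  # (port, src MAC)
    log: list[str] = field(default_factory=list)

    def receive(self, port: int, pkt: Packet) -> tuple[int, Packet] | None:
        """Handle one packet; return (vlan_tag, packet) if forwarded, else None."""
        if port in self.disabled_ports:
            self.dropped.append((port, pkt.src_mac))
            return None
        if pkt.src_mac.lower() not in self.port_auth.get(port, set()):
            # Port-security violation: source MAC not programmed for this port.
            self.log.append(f"port {port}: unrecognised source MAC {pkt.src_mac}")
            self.dropped.append((port, pkt.src_mac))
            if self.violation is Violation.SHUTDOWN:
                self.disabled_ports.add(port)
            return None
        vlan = self.mac_to_vlan.get(pkt.dst_mac.lower())
        if vlan is None:
            # Unknown destination MAC: this model drops rather than flooding.
            self.dropped.append((port, pkt.src_mac))
            return None
        return vlan, pkt  # tagged with the target device's VLAN

    def authorize(self, port: int, mac: str) -> None:
        """The administrator reprograms the CAM table and re-enables the port."""
        self.port_auth.setdefault(port, set()).add(mac.lower())
        self.disabled_ports.discard(port)


def run_scenario(mode: Violation) -> dict[str, object]:
    """Walk through the situation the text describes. Values are the VLAN tag a
    packet was forwarded with, or None when it was not forwarded."""
    sw = Switch(
        port_auth={1: {"aa:aa:aa:aa:aa:01"}},
        mac_to_vlan={"bb:bb:bb:bb:bb:10": 10, "bb:bb:bb:bb:bb:20": 20},
        violation=mode,
    )
    # Constructed sample packets; the addresses are made up for this example.
    known = Packet("aa:aa:aa:aa:aa:01", "10.0.0.5", "bb:bb:bb:bb:bb:10",
                   "10.0.1.7", 40000, 80, 0x02)
    stranger = Packet("cc:cc:cc:cc:cc:99", "10.0.0.9", "bb:bb:bb:bb:bb:20",
                      "10.0.2.7", 40001, 443, 0x02)

    def tag(result: tuple[int, Packet] | None) -> int | None:
        return None if result is None else result[0]

    steps: dict[str, object] = {}
    steps["known"] = tag(sw.receive(1, known))                  # VLAN 10
    steps["stranger"] = tag(sw.receive(1, stranger))            # blocked
    steps["known_after_violation"] = tag(sw.receive(1, known))  # None if port shut down
    steps["lost_before_reprogram"] = len(sw.dropped)            # friendly traffic lost
    sw.authorize(1, stranger.src_mac)                           # administrator's decision
    steps["stranger_after_authorize"] = tag(sw.receive(1, stranger))  # VLAN 20
    steps["disabled_ports"] = sorted(sw.disabled_ports)
    return steps


if __name__ == "__main__":
    for mode in Violation:
        print(mode.value, run_scenario(mode))
```

Running the scenario in both modes shows the trade-off the text describes: the shutdown mode also discards the authorized device's next packet on the same port (two packets lost before the administrator acts), whereas the drop mode loses only the stranger's packet but leaves the port open to further attempts.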
There are other types of “incorrect” packets, in addition to packets bearing an unrecognized MAC address, that a port of a VLAN switch may receive. Some “incorrect” packets are improperly formed, i.e. deficient in their form as defined by the applicable standard, for example, a “Christmas tree” packet where all options for the protocol in use are turned on. By way of example, an “ill-formed” packet may be missing a field specified by the applicable standard, the data in a field may be longer or shorter than specified for the field, the data in a field may be of one type such as numeric characters whereas the standard specifies alphabetic characters, etc. It was known to configure an intrusion prevention system for a VLAN switch to either block or pass “ill-formed” packets.
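As an added example of checking for the two kinds of “incorrect” packet named above (not code from this document or from any intrusion prevention product), the following parses a TCP header and reports a segment as ill-formed when a required field is missing or its length field contradicts the standard, and as a “Christmas tree” segment when every flag bit is set. The byte strings are constructed inline, and treating “all options turned on” as all eight TCP flag bits being set is an assumption made for the example.

```python
"""Classify a TCP segment as well formed, ill-formed, or a "Christmas tree"
segment. Added example, not from the document: the segments are constructed
here, and "all options turned on" is modelled as every TCP flag bit set."""
import struct

TCP_FIXED_HEADER = 20        # five 32-bit words, no options
TCP_FMT = "!HHIIBBHHH"       # ports, seq, ack, offset/reserved, flags, window, checksum, urgent
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7
ALL_FLAGS = 0xFF


def flag_names(flags: int) -> list[str]:
    """Names of the flag bits set in a TCP flags octet, lowest bit first."""
    return [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)]


def classify_tcp(segment: bytes) -> str:
    """Return 'ill-formed', 'christmas-tree' or 'ok' for one TCP segment."""
    if len(segment) < TCP_FIXED_HEADER:
        return "ill-formed"  # a field required by the standard is missing or truncated
    (_src, _dst, _seq, _ack, off_res, flags,
     _win, _csum, _urg) = struct.unpack(TCP_FMT, segment[:TCP_FIXED_HEADER])
    header_len = (off_res >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < TCP_FIXED_HEADER or header_len > len(segment):
        return "ill-formed"  # length field shorter than the standard allows, or longer than the data
    if flags == ALL_FLAGS:
        return "christmas-tree"
    return "ok"


def build_tcp(src_port: int, dst_port: int, flags: int,
              offset_words: int = 5, payload: bytes = b"") -> bytes:
    """Construct a minimal TCP segment (no IP header; checksum left zero)."""
    off_res = (offset_words & 0xF) << 4
    header = struct.pack(TCP_FMT, src_port, dst_port, 1, 0, off_res, flags, 65535, 0, 0)
    return header + payload


# Constructed sample segments for the example.
SAMPLES = {
    "normal_syn": build_tcp(40000, 80, 0x02),                    # SYN only
    "xmas": build_tcp(40000, 80, ALL_FLAGS),                     # every flag set
    "truncated": build_tcp(40000, 80, 0x02)[:12],                # header cut short
    "bad_offset": build_tcp(40000, 80, 0x10, offset_words=3),    # claims a 12-byte header
}


def classify_samples() -> dict[str, str]:
    """Classify each constructed sample; used by the test below."""
    return {name: classify_tcp(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} {verdict:15s} flags={flag_names(SAMPLES[name][13]) if len(SAMPLES[name]) > 13 else []}")
```

Whether such a segment is then blocked or passed is a policy decision for the intrusion prevention system, as the text notes; the classifier only makes the verdict available.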
A known “Cisco Guard DDOS Mitigation Appliance” function in a router limited the rate of packets from a specific source IP address when that source IP address was thought to be conducting a denial of service attack. The router discarded packets above the specified limit rate. An administrator specified the limit to be applied during a presumed denial of service attack.
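The following is an added example of the per-source rate limit just described; it is not the appliance's code and the traffic in it is constructed. Sources the administrator has marked as presumed attackers get a packets-per-second limit, packets above it in each one-second window are discarded, and sources without a limit pass unconditionally. The use of fixed one-second windows (rather than a token bucket) is an assumption made to keep the example deterministic.

```python
"""Per-source-IP packet rate limit: packets from a source the administrator
has marked as a presumed attacker are counted per one-second window and
discarded above the configured limit. Added example with constructed traffic."""
from collections import defaultdict


class SourceRateLimiter:
    def __init__(self, limits: dict[str, int]) -> None:
        self.limits = dict(limits)                    # src_ip -> packets allowed per second
        self.counts: dict[tuple[str, int], int] = defaultdict(int)   # (src_ip, window) -> seen
        self.discarded: dict[str, int] = defaultdict(int)             # src_ip -> dropped

    def allow(self, src_ip: str, now: float) -> bool:
        """True if the packet may be forwarded, False if it is discarded."""
        limit = self.limits.get(src_ip)
        if limit is None:
            return True                               # no presumed attack from this source
        key = (src_ip, int(now))                      # one-second window
        if self.counts[key] < limit:
            self.counts[key] += 1
            return True
        self.discarded[src_ip] += 1
        return False

    def prune(self, now: float) -> None:
        """Forget counters for windows that have already closed."""
        current = int(now)
        for key in [k for k in self.counts if k[1] < current]:
            del self.counts[key]


def simulate() -> dict[str, int]:
    """Replay constructed traffic through a limiter and report the outcome."""
    limiter = SourceRateLimiter({"203.0.113.7": 20})  # administrator's limit for the suspect
    # Constructed traffic: (timestamp in seconds, source IP). Addresses are documentation ranges.
    traffic = [(i / 100, "203.0.113.7") for i in range(100)]      # 100 packets in window 0
    traffic += [(1 + i / 50, "203.0.113.7") for i in range(50)]   # 50 packets in window 1
    traffic += [(i / 30, "198.51.100.4") for i in range(30)]      # friendly source, no limit
    passed: dict[str, int] = defaultdict(int)
    for ts, ip in sorted(traffic):
        if limiter.allow(ip, ts):
            passed[ip] += 1
    limiter.prune(now=2.0)                            # both windows are closed by t=2
    return {
        "suspect_passed": passed["203.0.113.7"],
        "suspect_discarded": limiter.discarded["203.0.113.7"],
        "friendly_passed": passed["198.51.100.4"],
        "windows_retained": len(limiter.counts),
    }


if __name__ == "__main__":
    print(simulate())
```

The limit caps the suspect at 20 packets in each of the two windows (40 forwarded, 110 discarded) while the friendly source's 30 packets all pass; pruning keeps the per-window table from growing without bound on a long-running device.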
An object of the present invention is for a VLAN switch to better manage “friendly” packets which bear an unrecognized source MAC address, so they can pass through a VLAN switch to the VLAN of the target device without jeopardizing the target device.